The Windows Error Reporting (WER) service, which runs with SYSTEM privileges, interacts with registry keys to store and process crash reports. The vulnerability stems from weak access controls on these registry keys, allowing a local attacker to exploit them for privilege escalation. The steps performed by the exploit are: Initializes Native APIs by loading necessary Windows APIs for low-level operations Modifies the Registry to hijack WerFault.exe by setting a malicious Debugger key Locks Resources by creating lock files and manipulating registry keys to ensure uninterrupted execution Triggers the Vulnerability by calling ReportFault, forcing the Windows Error Reporting service to execute the malicious payload Escalates Privileges by executing arbitrary code with SYSTEM-level privileges through the hijacked WerFault.exe Cleans Up by removing traces like the Debugger key and temporary files to avoid detection.
CVE Link
Exploit Platform
Exploit Type
Product Name